Re: CCTV and SARs some scenarios about PII (I hope there are easy answers) (by implication this also applies to telephone recording) https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;3aa31205.1803
Afternoon Lawrence,<br><br>Just following Ian's point about unstructured data, the ICO Code of Practice (2017) confirms:<br><br>"There is one narrowly defined situation in which the likely cost of complying with a SAR is relevant in determining whether an organisation must comply. Where a request relates to 'unstructured personal data' (as defined in section 9A(1) of the DPA) held by a public authority, the authority is not required to comply with the request if it estimates that the cost of doing so would exceed either £450 or £600. The relevant limit depends on the identity of the public authority (see the [...]
2018-03-19T14:23:56+00:00Jones Mark (BCIS)https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;3aa31205.1803Re: CCTV and SARs some scenarios about PII (I hope there are easy answers) (by implication this also applies to telephone recording) https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;9542b78d.1803
I don't see any difference conceptually between CCTV recordings and unstructured personal data held by a public authority. We may well hold the data subject's personal data, but we have no way of knowing unless they draw it to our attention specifically.<br><br>In terms of narrowing the request (in practical terms), I think all we can do is highlight that we have CCTV and that it has to be requested separately, i.e. by time and place, etc. [...]
2018-03-19T12:06:24+00:00Donald Henderson - CHXhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;9542b78d.1803CCTV and SARs some scenarios about PII (I hope there are easy answers) (by implication this also applies to telephone recording) https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;c639c486.1803
Dear All,<br>I am wondering if anyone has addressed this issue. Apologies if it is already addressed on this list. I have not seen anything about it so I thought I would ask.<br><br>Under the new DPA the applicant only needs to explain that they want their personal data and identify themselves to start the process. It is for the organisation to know what it holds. [...]
2018-03-19T10:30:11+00:00Lawrence Serewiczhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;c639c486.1803Q re providing info including privacy notice https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;606820f3.1803
Currently we give privacy notices over the phone. It's often the first point<br>of contact and the main medium of communication.<br><br>So how is this to be interpreted?<br><br>1. The controller shall take appropriate measures to<br>provide any information referred to in Articles 13 and 14 and any<br>communication under Articles 15 to 22 and 34 relating to processing to the<br>data subject in a concise, transparent, intelligible and easily accessible<br>form, using clear and plain language, in particular for any information<br>addressed specifically to a child. The information shall be provided in<br>writing, or by other means, including, where [...]
2018-03-17T19:01:48-00:00Sheelaghhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;606820f3.1803Re: Friday afternoon or early evening question... https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;a0172322.1803
Well not necessarily. The exemption applies to references /given/, not<br>references /received/. So an alternative reading would be that the<br>position has not changed - but I can see the potential ambiguity.<br><br>Best wishes,<br><br>Paul<br><br>Paul Ticher<br>22 Stoughton Drive North, Leicester LE5 5UB<br>0116 273 8191<br><br>On 17/03/2018 09:48, GERTZ Renate wrote:<br>><br>> Hi Andrew,<br>><br>> I’ve been looking at the same thing and it does read as though<br>> references are now exempt per se. It can only have been done on<br>> purpose because, as you said, so much has been a cut-and-paste job.<br>><br> [...]
2018-03-17T10:51:56+00:00Paul Ticherhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;a0172322.1803Re: Friday afternoon or early evening question... https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;c90498b2.1803
The University of Edinburgh is a charitable body, registered in<br>Scotland, with registration number SC005336.
2018-03-17T09:48:27+00:00GERTZ Renatehttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;c90498b2.1803Friday afternoon or early evening question... https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;31ac88c3.1803
... is it just me, or does the new Data Protection Bill contain a small but significant change:
2018-03-16T17:33:19+00:00Andrew Charlesworthhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;31ac88c3.1803Vacancy - Senior Data Protection Analyst - Office of the Ombudsman, Cayman Islands CORRECTION https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;1d076527.1803
With apologies, please note the correct link for the advertised position in the Office of the Ombudsman, Cayman Islands:<br><br>http://www.gov.ky/portal/page/portal/cighome/government/jobs/vacancies?p_id=10023793&p_pagegroupid=1142<br><br>Best regards,<br><br>[OMBUDSMAN_LOGO]<br><br>Jan Liebaers | MA, CA, LLM<br>Deputy Ombudsman (Information Rights)<br>+1 345 244 6161<br>ombudsman.ky
2018-03-15T19:00:22+00:00Liebaers, Janhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;1d076527.1803Re: SAR https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;722c0548.1803
I think the need for a customer to actively make an SAR request is covered off in the language used.<br><br>The regulation uses terms like "to obtain" and "to exercise that right" as being something the Data Subject can do rather than the 'be given' or 'be presented with' that would apply if it was a default Data Controller periodic (!) task. Recital 63 helps clear things up in that regard. [...]
2018-03-15T10:06:22+00:00Owen Thomashttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;722c0548.1803Vacancy - Senior Data Protection Analyst - Office of the Ombudsman, Cayman Islands https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;7657259a.1803
The Office of the Ombudsman, Cayman Islands is currently advertising for the position of Senior Data Protection Analyst:<br><br>http://thehub.gov.ky/vacancy/senior-data-protection-analyst/<br><br>Best regards,<br><br>[OMBUDSMAN_LOGO]<br><br>Jan Liebaers | MA, CA, LLM<br>Deputy Ombudsman (Information Rights)<br>+1 345 244 6161<br>ombudsman.ky
2018-03-14T20:56:51+00:00Liebaers, Janhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;7657259a.1803Info Gov role with Kensington & Chelsea/Westminster Council https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;12613a8c.1803
Hi all<br><br>Apologies for cross posting.<br><br>An exciting opportunity has come up to join the award winning Shared IT Service as an Information Governance & Management Officer<br>In addition to the advertised description of the role please note the following:<br><br>The team is responsible for information governance across two boroughs. The team is currently leading on GDPR, records management, FOIs and data handling. We will be helping departments over the course of the next year to deliver on GDPR remedial action plans, in addition to rolling out a new case management system for FOIs and GDPR within Kensington. That is [...]
2018-03-14T18:32:29+00:00Stott, Paul: CP-ICT: RBKChttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;12613a8c.1803Re: FW: New immigration exemption puts EU citizens at considerable disadvantage.... https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;57d8beb4.1803
See this link for an interesting discussion at the CPDP 2018 Conference<br>around the scope of the restrictions granted to member states under<br>Article 23.<br><br>https://www.youtube.com/watch?v=l_dKx3nMm_8<br><br>A number of questions directed at Karolina Mojzesowicz, Deputy Head of<br>Data Protection, EU Commission on this issue. Her advice included that<br><br>"Article 23 gives Member states the possibility to restrict the<br>application of certain rights in very specific areas for very specific<br>aims and never undermining the application of Article 8 and the<br>Charter." [...]
2018-03-14T14:36:50+00:00Stephen Williamshttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;57d8beb4.1803Re: GDPR proofed DP policy https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;a3ce98d9.1803
Hi Kate<br><br>I will be working on mine after Easter.<br><br>I'm new to FE and HE but understand that there was a Code of Conduct for FE and HE drawn up (copy on JISC is really old).<br><br>I just wondered if anyone had looked at updating this for GDPR or would be interested in forming a working group to do this? [...]
2018-03-14T11:52:11+00:00Fiona Whitworthhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;a3ce98d9.1803GDPR proofed DP policy https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;c300d11f.1803
Hi all<br><br>Do any of you have a GDPR proofed DP policy that you wouldn't mind sharing with me on or off the list please?<br><br>Very grateful for any assistance.<br><br>With kind regards<br><br>Kate
2018-03-14T11:30:04+00:00Kate Glanvillehttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;c300d11f.1803Redaction - SARs https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;ff7a83bb.1803
Morning all<br><br>I am currently writing some guidance around redaction of information for SARs (in particular Children's Social Care requests).<br><br>I was wondering if anyone might have something they would be willing to share?<br><br>Thanks<br><br>Joelle
2018-03-13T11:46:55+00:00Joelle Taylorhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;ff7a83bb.1803Re: Verbally discussing personal data https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;a7ad0dfb.1803
Hi all<br><br>Thanks very much for your help, much appreciated.<br><br>With kind regards<br><br>Kate<br><br>Kate Glanville<br>Group Data Protection Officer<br>Tel: 01822 813 785<br>kate.glanville@dchgroup.com<br>www.dchgroup.com<br><br>From: This list is for those interested in Data Protection issues [mailto:data-protection@JISCMAIL.AC.UK] On Behalf Of Jon Baines<br>Sent: 12 March 2018 17:55<br>To: data-protection@JISCMAIL.AC.UK<br>Subject: Re: [data-protection] Verbally discussing personal data<br><br>See also, for a perspective from another jurisdiction, the DPC v Shatter case in Ireland<br><br>https://twitter.com/bainesy1969/status/973252424235446273?s=21<br><br>Jon Baines,<br>Chair,<br>nadpo.co.uk<br><br>On 12 Mar 2018, at 15:20, Palmer-Dunk, Daniel <Daniel.Palmer-Dunk@DONCASTER.GOV.UK> wrote:<br><br>Good afternoon,<br><br>I think I see where they're coming from; they [...]
2018-03-13T11:40:22+00:00Kate Glanvillehttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;a7ad0dfb.1803Re: SAR https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;90539002.1803
Hi,<br><br>Can I ask a question? Does this mean that a data subject can exercise any of the rights given under the GDPR verbally? It looks like they can in the GDPR and the Data Protection Bill in relation to law enforcement.<br><br>Thanks
2018-03-13T10:41:04+00:00Bill Dunnhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;90539002.1803Info. Gov. role in South West https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;cbc1f05f.1803
Morning<br><br>We have a role for an Information Governance Office in Historic England based in Swindon.<br><br>https://www.historicengland.org.uk/about/jobs/vacancies/job/?ref=8456<br>.<br><br>Kind Regards<br><br>Teresa Gudge<br>Information Governance Manager ISEB DP, CISM<br>Information Records Management<br>Historic England, The Engine House, Fire Fly Avenue, Swindon, Wiltshire, SN2 2EH<br><br>Tel: 07717 800989 (please leave message if no reply)<br>Email: teresa.gudge@HistoricEngland.org.uk<br><br>We help people understand, enjoy and value the historic environment, and protect it for the future. Historic England is a public body, and we champion everyone’s heritage, across England. [...]
2018-03-13T08:36:49+00:00Gudge, Teresahttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;cbc1f05f.1803Re: SAR https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;148f8a3c.1803
I’ve not found anything in the GDPR that says that a request has to be made<br>in writing, so I think this is a valid interpretation (happy to be proved<br>wrong as I think it’s a bit daft). I’m convinced that they don’t need to<br>mention GDPR. I don’t think they need to mention DPA at the moment. [...]
2018-03-12T13:22:02-07:00Tim Turnerhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;148f8a3c.1803Re: Verbally discussing personal data https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;f6ec77fa.1803
Apologies, here is the direct link https://www.dataprotection.ie/documents/judgements/Shatter_v_DPC_Circuit_Court_21.1.15.pdf<br><br>> On 12 Mar 2018, at 17:55, Jon Baines <chair@NADPO.CO.UK> wrote:<br>><br>> See also, for a perspective from another jurisdiction, the DPC v Shatter case in Ireland<br>><br>> https://twitter.com/bainesy1969/status/973252424235446273?s=21<br>><br>> Jon Baines,<br>> Chair,<br>> nadpo.co.uk<br>><br>><br>><br>>> On 12 Mar 2018, at 15:20, Palmer-Dunk, Daniel <Daniel.Palmer-Dunk@DONCASTER.GOV.UK> wrote:<br>>><br>>> Good afternoon,<br>>><br>>> I think I see where they're coming from; they think that (in broad strokes) the GDPR/Act defines personal data as information relating to an identifiable individual processed by machine, so if the breach doesn’t [...]
2018-03-12T19:39:13+00:00<>https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;f6ec77fa.1803Re: SAR https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;1f9eaaed.1803
That’s certainly true as a matter of law.<br><br>On the spoken SAR point, as a matter of practice I think a) it’s going to be so rare that it’s probably only an academic point and b) a controller or processor will need to assure itself of the identity and locus of the requester, so some form of physical “transaction” will still have to take place to start the clock ticking. [...]
2018-03-12T19:13:55+00:00Jon Baineshttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;1f9eaaed.1803Re: Verbally discussing personal data https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;f2d98e61.1803
See also, for a perspective from another jurisdiction, the DPC v Shatter case in Ireland<br><br>https://twitter.com/bainesy1969/status/973252424235446273?s=21<br><br>Jon Baines,<br>Chair,<br>nadpo.co.uk<br><br>> On 12 Mar 2018, at 15:20, Palmer-Dunk, Daniel <Daniel.Palmer-Dunk@DONCASTER.GOV.UK> wrote:<br>><br>> Good afternoon,<br>><br>> I think I see where they're coming from; they think that (in broad strokes) the GDPR/Act defines personal data as information relating to an identifiable individual processed by machine, so if the breach doesn’t involve information in electronic form it's not processing, hence not covered by the legislation. Recent case law (https://panopticonblog.com/2017/12/29/candy-crush-es-holyoake/) suggests the manager might be right - but I wouldn’t necessarily [...]
2018-03-12T17:55:02+00:00Jon Baineshttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;f2d98e61.1803SAR https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;44c7f57d.1803
Some colleagues attended a training course last week and were advised that data subjects can make verbal SARs and that these requests do not necessarily need to even mention GDPR.<br><br>Has anyone else been told this?<br><br>if so, what are your plans to try and implement this? and how would you verify the person is who they say they are? and would you do that at the beginning of the request or at the end? [...]
2018-03-12T16:10:50+00:00Stephen Lemonhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;44c7f57d.1803Re: Verbally discussing personal data https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;ef9a67f4.1803
Good afternoon,<br><br>I think I see where they're coming from; they think that (in broad strokes) the GDPR/Act defines personal data as information relating to an identifiable individual processed by machine, so if the breach doesn’t involve information in electronic form it's not processing, hence not covered by the legislation. Recent case law (https://panopticonblog.com/2017/12/29/candy-crush-es-holyoake/) suggests the manager might be right - but I wouldn’t necessarily hold with that tentative judgement. [...]
2018-03-12T15:20:11+00:00Palmer-Dunk, Danielhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;ef9a67f4.1803Re: Verbally discussing personal data https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;e2156fe3.1803
The issue in both cases is who you discuss it with and where. Obviously<br>discussing a work-related issue with a relevant colleague in the privacy<br>of your office is neither a breach of confidentiality nor of data<br>protection. Discussing it outside those parameters - either with an<br>unauthorised person or in an insecure location (or for that matter on<br>social media) - could well be a breach of confidentiality and it could<br>also be a breach of DPA Principle 7 if the employer had failed to tell<br>you not to do it (i.e. had not taken appropriate technical and<br> [...]
2018-03-12T15:11:33+00:00Paul Ticherhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;e2156fe3.1803Verbally discussing personal data https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;1705bb96.1803
Hi all<br><br>A legal colleague and myself have been having a discussion with a senior manager about verbally discussing personal data. The manager says that the DPA (or the GDPR for that matter) doesn't cover verbally discussed personal data and that that would only be a confidentiality issue. We both feel that it does; e.g. you wouldn't go out to a pub and start talking about all the people you have dealt with that day, mentioning names and health problems for example. If you did this would be a breach of principle 7. [...]
2018-03-12T14:48:32+00:00Kate Glanvillehttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;1705bb96.1803Re: Right to be informed https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;12158289.1803
We have followed the ICO guidance on this - we tell people:<br><br>Who we are and how they can contact the DPO (generic DP email address). What their data will be used for. Whether it will be shared with any third parties. (Consent to receive marketing emails - not in all notices on forms, but some do). Where to find more information (link to Privacy Policy page, or contact the DPO for a paper version). [...]
2018-03-12T11:53:20+00:00Michelle Brownhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;12158289.1803Re: Right to be informed https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;baa13081.1803
We are trying to adopt a standardised approach for forms (paper or electronic) at our group of colleges that follows what you describe Christine, this is the text we have adopted:<br><br>To be inserted AFTER 'Standard' PII data collection sections:<br><br>We collect your personal data above for <insert lawful basis here> the purpose of which is <insert purpose here> [...]
2018-03-12T11:41:20+00:00Ian Headleyhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;baa13081.1803Re: Right to be informed https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;95f4bd46.1803
Agreed; you have to balance providing the information with needs to make it easy to read and digest (as Donald points out). The ICO, WP29 recommend a 'layered' approach to fulfil exactly this balance. See the below from the WP29 guidelines:<br><br>The "easily accessible" element means that the data subject should not have to seek out the information; it should be immediately apparent to them where this information can be accessed, for example by providing it directly to them, by linking them to it, by clearly signposting it... [...]
2018-03-12T11:24:53+00:00Palmer-Dunk, Danielhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;95f4bd46.1803Re: Right to be informed https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;11fec54c.1803
I think you will find that the ICO's line is that you must tell the data subject who you are, why you are processing the information, who you will share it with and how to get more information about it all. They appear to be going with concise and intelligible rather than complete and comprehensive... [...]
2018-03-12T11:13:29+00:00Donald Henderson - CHXhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;11fec54c.1803Right to be informed https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;cd369334.1803
Dear all<br><br>Has anyone come up with a neat way to comply with all of the requirements of Article 13 when the data subject is completing a paper form? Writing a bespoke privacy notice for each form seems like overkill but I don't think that providing the link to the online notice or even a QR code would meet with the requirement to inform at the time of obtaining the data! [...]
2018-03-12T10:51:01+00:00Cartwright, Christinehttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;cd369334.1803Re: What A9 conditions will allow special category data to satisfy the tax man, will this require a change by HMRC? https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;274e90d2.1803
Owen,<br>Thanks. That is one possibility to protect the special category data. However, the underlying question still remains, which is the need to retain special category data to confirm VAT status.<br><br>I would have thought that privacy by design would suggest that the HMRC need to revisit their procedure so that data subject does not need to spell out their disability and have that retained by a 3rd party so that the HMRC can be assured they are VAT compliant. In a way it reminds me of organisations that retain a copy of a passport as proof when they only [...]
2018-03-09T11:59:10+00:00Lawrence Serewiczhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;274e90d2.1803Adv - Certificate in Information Governance for the Health and Social Care Sector https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;c7cc7fb4.1803
Colleagues<br><br>Act Now Training recently launched the Certificate in Information Governance for the Health and Social Care Sector.<br><br>This is an ideal qualification for those working in an IG team. It is designed to give delegates a solid foundation in information laws (incl. GDPR and FOI) and best practice as they apply to the health and social care sector. [...]
2018-03-09T09:28:30+00:00Ibrahim Hasanhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;c7cc7fb4.1803Re: Gift Memberships https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;eecaf0dd.1803
Hi, It's intended to be a gift - surely the party issuing the gift membership (public body or not) will want to avoid being the party pooper who spoils the surprise by sending out a fair processing notice?<br><br>Can it be argued the provision of such information is likely to "seriously impair the achievement of the objectives of the processing" i.e. enabling the provision of a membership as a gift? Pragmatically the FPN can be given when the gift recipient claims their membership, or given to the purchaser to pass on at the time the gift is given. [...]
2018-03-08T20:16:04-00:00Chris Sprayhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;eecaf0dd.1803Re: Data processing https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;71099cd5.1803
Hi Terry<br><br>In my opinion yes, it's a misunderstanding and we've had a couple of examples where an employer has tried to use a standard form of words to apply their GDPR obligations. In a specific case we asked them to change their wording and they did.<br><br>Our position is that we enrol the student, then establish our own relationship with her/him. We are not a processor on behalf of the employer. [...]
2018-03-08T12:05:20+00:00Suzy Taylorhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;71099cd5.1803Re: Gift Memberships https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;b304b05f.1803
As Adam says and see s7(2) DP Bill
2018-03-08T11:46:33+00:00Phil Bradshawhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;b304b05f.1803Re: BMA GDPR guidance to GPs https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;7f65d6e.1803
Looks to be a good clear exposition which could be useful in other contexts too.<br><br>One minor quibble: footnote 13 on page 3 is probably wrong as it ignores Article 6(3) and there is a similar implication later in the guidance. The contract itself is not a qualifying legal obligation – although the underlying statutory framework may be. ICO guidance is explicit on this too : “A contractual obligation does not comprise a legal obligation in this context.”
2018-03-08T11:41:03+00:00Phil Bradshawhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;7f65d6e.1803Re: Gift Memberships https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;9cd21210.1803
David,<br>If the gift membership service provided by a public body is not part of their core services (i.e. does not come under the basis of ‘exercise of official authority’) then this is where a public body CAN use legitimate interests. The ban on legitimate interests for public bodies under GDPR is only for their public service tasks. The public body should be contacting Person B about the membership that’s been bought on their behalf and at that point under Article 14 of GDPR should be providing the privacy notice/fair processing information. (This is assuming none of this uses special [...]
2018-03-08T11:33:37+00:00TUCKETT, Adam (NHS SOUTH, CENTRAL AND WEST COMMISSIONING SUPPORT UNIT)https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;9cd21210.1803Gift Memberships https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;728a31eb.1803
Hi all,<br>Another thorny question.<br>Person A orders and pays for an annual gift membership, from a public body, for Person B. As part of that gift Person A must give personal data (Name, address, email) of Person B. Person B will not have consented to the personal data being processed, passed to 3rd Party as part of the membership or had the opportunity to read any privacy notices. What is the legal basis for processing between public body and Person B?<br>This may be REALLY simple but my brain is not computing!<br>Thanks<br>D
2018-03-08T11:14:11+00:00david.paris@sky.comhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;728a31eb.1803Re: Data processing [UNC] https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;eeffa27f.1803
I think you're right Terry. If I was College X I would refuse to sign the form.<br><br>Ciaran Ward<br>Information Rights Officer<br>Guildford Borough Council<br><br>From: This list is for those interested in Data Protection issues [mailto:data-protection@JISCMAIL.AC.UK] On Behalf Of Terry Hutchinson<br>Sent: 08 March 2018 10:57<br>To: data-protection@JISCMAIL.AC.UK<br>Subject: [data-protection] Data processing<br><br>Hi All<br><br>I hope someone might be able to help with a query please? [...]
2018-03-08T11:03:49+00:00Ciaran Wardhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;eeffa27f.1803Re: What A9 conditions will allow special category data to satisfy the tax man, will this require a change by HMRC? https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;748aa2c8.1803
Could you not remove the Customer's name & address from the form/s, replace with the Adult Services PID reference number and then store? HMRC can still check the forms in the VAT records, but if they need to check (dip-sample perhaps) the veracity of the paperwork, they've a reference to link to checkable data? [...]
2018-03-08T11:01:12+00:00Owen Thomashttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;748aa2c8.1803Data processing https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;444bda83.1803
Hi All<br><br>I hope someone might be able to help with a query please?<br><br>Company A has booked one of their employees (we'll call them 'Jim' here) onto a course with College X. Naturally, some personal data will be provided, either by Company A, Jim, or both (for example, name, address, date of birth, contact details). Indeed, Company A sent Jim's name across as part of the initial booking. [...]
2018-03-08T10:56:47+00:00Terry Hutchinsonhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;444bda83.1803BMA GDPR guidance to GPs https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;ffce5192.1803
https://www.bma.org.uk/advice/employment/ethics/confidentiality-and-health-records/gps-as-data-controllers<br><br>Our GDPR e learning course is ideal for training frontline staff.<br><br>http://www.actnow.org.uk/elearning<br><br>Ibrahim Hasan<br><br>Act Now Training
2018-03-07T21:50:26+00:00Ibrahim Hasanhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;ffce5192.1803due diligence questions within tenders and procurement processes - more questions than answers https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;7011271c.1803
Good afternoon all,<br><br>I'm reviewing our procurement policy and processes to ensure the new provisions are applied and to incorporate due diligence at tender stage and amends to contacts, both current and new, post 25th May 2018.<br><br>We are not a public authority but to ensure good practice we follow the Crown Commercial Service guidance. I have consulted the Procurement Policy Note<https://www.google.co.uk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&ved=0ahUKEwiltKjByNrZAhXLK8AKHa9kBh0QFgg0MAE&url=https%3A%2F%2Fwww.gov.uk%2Fgovernment%2Fuploads%2Fsystem%2Fuploads%2Fattachment_data%2Ffile%2F674575%2FFINAL_PUBLISHED_GDPR_PPN_03-17.docx.pdf&usg=AOvVaw0ZBpUhI23TX3VrBCg7NZHz> PPN 03/17 released in December 2017. It contains some good advice and useful documentation. The PPN however appears to only cover data controller to processor relationships and doesn't take account that a contractor/supplier could be a data controller. [...]
2018-03-07T17:41:52+00:00Johnson, Carol (IT)https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;7011271c.1803Re: What A9 conditions will allow special category data to satisfy the tax man, will this require a change by HMRC? https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;b5c6a7cf.1803
Lawrence,<br><br>Would it not be covered by clause 9(1) - prevention and detection of unlawful acts (namely fraud) - of part 1 of schedule 1 of the DPBill by virtue of 9(g) - substantial public interest - of the GDPR?<br><br>Dan<br><br>From: This list is for those interested in Data Protection issues [mailto:data-protection@JISCMAIL.AC.UK] On Behalf Of Lawrence Serewicz<br>Sent: 07 March 2018 12:35<br>To: data-protection@JISCMAIL.AC.UK<br>Subject: [data-protection] What A9 conditions will allow special category data to satisfy the tax man, will this require a change by HMRC? [...]
2018-03-07T12:56:07+00:00Palmer-Dunk, Danielhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;b5c6a7cf.1803What A9 conditions will allow special category data to satisfy the tax man, will this require a change by HMRC? https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;72a8f8c1.1803
Dear All,<br>I have the following scenario.<br><br>A person applies to the council for a stair lift in their home. They are disabled. We go out and agree to fit the lift.<br><br>As part of that process, we have to get them to complete an HMRC form where they confirm they are disabled and describe their disability.<br>https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/419380/Eligibility_Declaration_Disabled_-_March_2015__2_.pdf [...]
2018-03-07T12:35:27+00:00Lawrence Serewiczhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;72a8f8c1.1803Blagger Interview https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;1803d008.1803
'I was nothing more than a common thief' &gt; Fascinating interview with an information blagger:<br><br>http://tinyurl.com/yaew9tg9<br><br>Ibrahim Hasan<br><br>Solicitor and Director<br>Act Now Training Limited<br><br>www.actnow.org.uk
2018-03-07T08:49:31+00:00Ibrahim Hasanhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;1803d008.1803Re: Photography Consent Form https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;49c1709b.1803
That is more a consent/contract for artists or photographers giving up IP than for individuals having their photo taken. So I'd replace with something easy to understand that, as Phil says, allows for removal of consent. I think you also need to give a retention period as it's probably not reasonable to expect to use the photos in perpetuity. [...]
2018-03-06T14:30:34+00:00Blyth, Victoriahttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;49c1709b.1803Re: Photography Consent Form https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;308ee505.1803
Our statement is way too long to post here Mick, I will email you one over to look at.<br><br>Bear in mind our current one won't be the one going forward, it will be reviewed in May with all our other policies, consents etc.<br><br>Ian Headley<br>Data Protection Officer<br>RNN Group<br><br>M 07810 802777<br>Twitter : @rnndataprotect [...]
2018-03-06T14:08:55+00:00Ian Headleyhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;308ee505.1803Re: Photography Consent Form https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;9aa730f4.1803
I'd regard the document below as a contract rather than a consent as it is defining an irrevocable licence agreement and as such does not allow for withdrawal of agreement.<br><br>-----Original Message-----<br>From: This list is for those interested in Data Protection issues [mailto:data-protection@JISCMAIL.AC.UK] On Behalf Of Michael Lockton<br>Sent: 06 March 2018 13:55<br>To: data-protection@JISCMAIL.AC.UK<br>Subject: [data-protection] Photography Consent Form [...]
2018-03-06T13:59:49+00:00Phil Oakmanhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;9aa730f4.1803Photography Consent Form https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;e7f5a2c.1803
I am assisting in the updating of our photography/video consent form, and bearing in mind the advice of the ICO that consent should be easy to understand, I am faced with a dilemma. Should I rewrite the following legalese or just delete it from the form! Opinions most welcome. (My vote is delete at the moment) [...]
2018-03-06T13:54:51+00:00Michael Locktonhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;e7f5a2c.1803Re: Key logging and screen grabbing https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;1fd8d8c4.1803
Hi,<br><br>Not all keystrokes are sent to them. Each workstation has a locally encrypted DB as part of the client software which is used for trigger lookups. Only lookup hits trigger an action that will send information off site for analysis. This info is: a screenshot, logged on username, time stamp, computer name. [...]
2018-03-06T12:21:02+00:00Dave Kingshttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;1fd8d8c4.1803Fining Levels https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;a813e913.1803
Afternoon all,<br><br>This might be a simple question and I’ve missed something obvious, but humour me…<br><br>Hypothetical situation under GDPR:<br>An organisation has a serious personal data breach that is likely to attract an administrative fine. Let’s say the only factor in the breach was a lack of a basic technical security control which led to a hacker being able to compromise customer data. [...]
2018-03-06T12:07:13+00:00Peter Dinsdalehttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;a813e913.1803Re: Key logging and screen grabbing https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;72cd8054.1803
Hi Dave ... I think you might be right :)<br><br>To clarify my understanding, do all keystrokes not have to be sent to eeeeeeeeeee for them to analyse against their database?<br><br>Basically they do not want to be classed as a processor, they want to be data controller. Hence the impasse.<br><br>The fact that we have made little attempt to make anyone aware of this product nor engaged with stakeholders worried me. I take on board the efforts you made and think we should be doing the same. This statement from the DFE (admittedly schools) also bears you out: [...]
2018-03-06T10:30:37+00:00Ian Headleyhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;72cd8054.1803Re: Key logging and screen grabbing https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;894f40d0.1803
Hi Ian,<br><br>I'm pretty confident that I know who you are talking about (something 'Safe'....)<br><br>The software does not record all keystrokes, only those that are in the alert database. I'd be interested to know on what grounds they are refusing to sign your document?<br><br>Lawrence, the system does not distinguish, the analyst will make that call and notify a contact at the customers premise. It is then up to that customer to decide what to do. It doesn't work like web filtering. [...]
2018-03-06T09:40:54+00:00Dave Kingshttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;894f40d0.1803Re: Monitoring at Work https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;7c02cb54.1803
I seem to have posted the following on the wrong thread earlier. This is the right spot!<br><br>I cannot see any basis for not supplying retention here. But as others have suggested, in general that will be at the bottom layer &quot;for further information about how we look after your data see ... &quot; and even there it will generally be by reference to the RM policy and schedule - a deeper layer again. [...]
2018-03-05T18:52:56+00:00Phil Bradshawhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;7c02cb54.1803Re: DPA Section 1(4) / DP Bill Section 6 https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;990f4dd1.1803
As an addendum to my previous post I have belatedly noticed that s6 DP Bill is probably incompatible with GDPR. It refers to &quot;the person on whom the obligation to process the data is imposed by the enactment&quot; which is not the same as Article 4(7) &quot;where the purposes and means of<br>such processing are determined by Union or Member State law,&quot;. [...]
2018-03-05T18:49:48+00:00Phil Bradshawhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;990f4dd1.1803Re: Marketing? https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;e9068ad3.1803
I cannot see any basis for not supplying retention here. But as others have suggested, in general that will be at the bottom layer &quot;for further information about how we look after your data see ... &quot; and even there it will generally be by reference to the RM policy and schedule - a deeper layer again. [...]
2018-03-05T17:47:31+00:00Phil Bradshawhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;e9068ad3.1803Re: Marketing? https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;f5653d13.1803
I am not an expert here but would it not be based upon what gave the employer the ability to contact A? If A has expressed an interest about future jobs then would that not be consent anyway. Would it not come down to how did the employer get A's details in the first place to know that A might be looking for a job? If the information was improperly processed (obtained or just sent at random) under the DPA in the first place, use of the information could be in contravention too regardless of whether it was marketing [...]
2018-03-05T16:51:08+00:00Bill Dunnhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;f5653d13.1803Information sharing & youth work https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;24849e8d.1803
Hi everyone,<br><br>The organisation I work for has won funding to carry out youth work in the local town, and a lot of the work will be carried out on our behalf by a couple of small charities. They will be signing young people up to the programme, and the charities will be using our database. So all the personal data will be hosted by us on our database. The information flow will be one way, from the charities to us. In my thinking we are the data controller, and they will be the data processors. I'm thinking that we [...]
2018-03-05T16:39:57+00:00Melanie Watsonhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;24849e8d.1803Re: Monitoring at Work https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;e32ee55d.1803
Thanks Ian,<br><br>That was one of the approaches I was considering.<br><br>-----Original Message-----<br>From: Ian Headley [mailto:ianheadley@rnngroup.ac.uk]<br>Sent: 05 March 2018 14:49<br>To: Speirs, Seth; data-protection@JISCMAIL.AC.UK<br>Subject: RE: Monitoring at Work<br><br>Your data retention periods will be classed 'public information' so should be publicised on your web site, you will also have an opportunity to advise of disposal methods at that point, this is what we are working towards presently. Saves over populating the privacy notice itself. [...]
2018-03-05T15:43:44+00:00Speirs, Sethhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;e32ee55d.1803Re: Monitoring at Work https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;765909dc.1803
Your data retention periods will be classed 'public information' so should be publicised on your web site, you will also have an opportunity to advise of disposal methods at that point, this is what we are working towards presently. Saves over populating the privacy notice itself.<br><br>Regards.<br><br>Ian Headley<br>Data Protection Officer<br>RNN Group [...]
2018-03-05T14:48:52+00:00Ian Headleyhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;765909dc.1803Monitoring at Work https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;f813d56a.1803
As part of our preparations for GDPR we are reviewing our Monitoring at Work Policy.<br><br>As this is essentially a privacy notice for staff on our monitoring activities, I was wondering whether we needed to include retention and disposal information in it.<br><br>The vast majority of monitoring that is done is on information that is already held and disposed of under normal business operations, but there would be some areas such as CCTV and card access systems that would be outside normal line of business systems. [...]
2018-03-05T14:22:55+00:00Speirs, Sethhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;f813d56a.1803Re: Marketing? https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;27a771ad.1803
The definition James gives definitely doesn't match the ICO view in para<br>35 of the Guidance on Direct Marketing:<br><br>/This definition covers any advertising or marketing material, not<br>just commercial marketing. All promotional material falls within<br>this definition, including material promoting the aims of<br>not-for-profit organisations. ... It will also cover any messages<br>which include some marketing elements, even if that is not their<br>main purpose./ [...]
2018-03-05T14:21:28+00:00Paul Ticherhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;27a771ad.1803Re: Marketing? https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;2000c2eb.1803
I'm open to argument on the issue - I suppose perhaps I'm leaning towards 'yes' because (even if it doesn’t fall in the strict definition) it is the kind of communication that I would expect to have the same levels of control over as marketing material. I would suspect organisations and individuals might both consider unsolicited job adverts counter-productive. [...]
2018-03-05T14:11:17+00:00Palmer-Dunk, Danielhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;2000c2eb.1803Re: Marketing? https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;2cec3588.1803
Two responses - 50-50<br><br>Jim's definition may work for some purposes but not here. Market research clearly not marketing, and marketing clearly wider than promoting or selling goods and services. At the moment I am inclined to &quot;not marketing&quot; - it's more like a type of research &quot;Do you like apples&quot; vs &quot;do you like the look of these jobs ?&quot;
2018-03-05T14:04:54+00:00Phil Bradshawhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;2cec3588.1803Re: FW: Hawktalk: How the Data Protection Bill reduces data subject rights and, in particular, workers' rights https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;b0fb23a1.1803
Chris<br><br>It's all very convoluted I know, but I'm not sure it makes much change from the present. For example you suggest there is currently limited protection for manual unstructured but s33A(1)(a) disapplies principle 7 already. Is clause 24(2) any different?<br><br>The whole point behind s33A and clauses 21/24 was always to ensure the s40 FOIA exemption could be applied - that is based on breach of the principles which could only apply by making manual unstructured data come within the definition, but then to remove most of the protections to ensure parity with private organisations. [...]
2018-03-05T13:58:01+00:00Phil Bradshawhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;b0fb23a1.1803Re: Marketing? https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;87aa1115.1803
No,<br><br>The definition of marketing is: 'the action or business of promoting and selling products or services, including market research and advertising'. Telling me you have a vacancy isn't any of these.<br><br>Jim<br><br>-----Original Message-----<br>From: This list is for those interested in Data Protection issues [mailto:data-protection@JISCMAIL.AC.UK] On Behalf Of Phil Bradshaw<br>Sent: 05 March 2018 13:26<br>To: data-protection@JISCMAIL.AC.UK<br>Subject: [data-protection] Marketing? [...]
2018-03-05T13:40:37+00:00Carroll Jameshttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;87aa1115.1803Re: Marketing? https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;8626e88c.1803
I would say this falls into the category of promoting the aims and ideals of an organisation - so it’s a yes from me.<br><br>Dan<br><br>-----Original Message-----<br>From: This list is for those interested in Data Protection issues [mailto:data-protection@JISCMAIL.AC.UK] On Behalf Of Phil Bradshaw<br>Sent: 05 March 2018 13:26<br>To: data-protection@JISCMAIL.AC.UK<br>Subject: [data-protection] Marketing?<br><br>Brain refusing to work today. [...]
2018-03-05T13:39:11+00:00Palmer-Dunk, Danielhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;8626e88c.1803Re: Marketing? https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;ff78fa8c.1803
Yes<br><br>Teresa Gudge<br>Information Security &amp; Data Protection Manager ISEB DP, CISM<br>Information Records Management<br>Historic England, Room G/60, The Engine House, Fire Fly Avenue, Swindon, Wiltshire, SN2 2EH<br><br>Tel: 07717 800989 (please leave message)<br>Email: teresa.gudge@HistoricEngland.org.uk<br><br>We help people understand, enjoy and value the historic environment, and protect it for the future. Historic England is a public body, and we champion everyone’s heritage, across England. [...]
2018-03-05T13:34:44+00:00Gudge, Teresahttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;ff78fa8c.1803Marketing? https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;87348859.1803
Brain refusing to work today.<br><br>Employer contacts a person, A, to say he has vacancies A might be interested in.<br><br>Is this &quot;marketing&quot;?
2018-03-05T13:26:08+00:00Phil Bradshawhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;87348859.1803FW: Hawktalk: How the Data Protection Bill reduces data subject rights and, in particular, workers' rights https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;5043182f.1803
How the Data Protection Bill reduces data subject rights and, in particular,<br>workers' rights<br><br>Just published on Hawktalk: &lt;http://amberhawk.typepad.com/amberhawk/&gt;<br>http://amberhawk.typepad.com/amberhawk/<br><br>Given that it is the Second Reading of the Data Protection Bill (DPBill)<br>today, I thought I would write a series of blogs identifying where the<br>DPBill is deficient; this is especially important, as last Friday, the Prime<br>Minister stated that a high standard of data protection was essential to a<br>prosperous, post-Brexit, Britain and that &quot;The UK has exceptionally high<br>standards of data protection&quot;. [...]
2018-03-05T09:50:33-00:00Chris Pounderhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;5043182f.1803Data Protection E-learning course https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;4bceddf.1803
Hi all,<br><br>I am looking for a practical e-learning course that is focused on data protection, with real life examples/scenarios.<br><br>I have had a look at a few and have not found one, that meets my expectations. Any suggestions?<br><br>Kind Regards<br>Indy<br><br>Did you know? You can now raise a ticket with the Data and Information team on any service request, using OTRS&lt;https://servicedesk.bmet.ac.uk/otrs/customer.pl&gt; [...]
2018-03-03T19:45:03+00:00Inderpal Virdeehttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;4bceddf.1803Job vacancy - Information Governance Lead - Care Inspectorate Scotland https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;32202789.1803
Apologies for cross posting<br><br>Please find below details of a vacancy currently being advertised at the Care Inspectorate<br><br>Position: Information Governance Lead<br>Location: Dundee or any Care Inspectorate office<br>Salary: £43,023 to £49,425<br>Contract: Permanent<br>Closing date: Sunday 18th March 2018<br><br>For more information and to find out how to apply, click on the link below<br><br>http://www.careinspectorate.com/index.php/job-vacancies-recruitment/10-organisation/4280-information-governance-lead<br><br>Cheers<br>Heather
2018-03-02T17:07:14+00:00Heather Jackhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;32202789.1803Re: Key logging and screen grabbing https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;4e609032.1803
If nothing else it would be wise to anticipate and plan for a formal complaint to ICO within a few days of inception - or possibly even an action for an injunction
2018-03-02T14:14:17+00:00Phil Bradshawhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;4e609032.1803Re: Friday Snow Question Consent, 6b or 6e (the job application question) https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;8d24cff2.1803
As written in both cases you reply to the caller, and in the second case you make no mention or record of BBB. You have no evidence BBB is even aware of the use of his name or that he exists. Not yet your problem.<br><br>In the second case you could, as good service, explain what is needed for BBB to make the application in addition to the normal information, including fair processing stuff you send, but not strictly required. What happens next is up to the caller and BBB (if he exists). [...]
2018-03-02T14:09:40+00:00Phil Bradshawhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;8d24cff2.1803Re: Key logging and screen grabbing https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;afeff41e.1803
Ian,<br>Interesting post.<br><br>Leaving aside the privacy issues and the DPA issues, you face another difficulty with this approach.<br><br>If someone is discussing Tom Paine or Malcolm X how will the system distinguish between education and extremism?<br><br>A further issue is that much of the radicalisation is moving away from overt methods, such as YouTube, to a more subtle form in which &quot;book clubs&quot; look at works by authors with titles that might not appear to be problematic unless you are deeply immersed in the literature or the movement. [...]
2018-03-02T14:01:02+00:00Lawrence Serewiczhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;afeff41e.1803Friday Snow Question Consent, 6b or 6e (the job application question) https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;208cf25e.1803
Dear All,<br>I am trying to think through the following scenarios to determine which lawful basis applies.<br><br>Scenario A) Person YYY rings up a public authority. &quot;I would like to request a job application.&quot;<br>Scenario B) Person DDD rings up a public authority. &quot;I would like a job application on behalf of my cousin BBB who is travelling abroad without a fixed address or an email account.&quot; [...]
2018-03-02T13:52:41+00:00Lawrence Serewiczhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;208cf25e.1803Re: DPA Section 1(4) / DP Bill Section 6 https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;a7371a22.1803
Well it will not be the first time I have disagreed with ICO guidance or the first time I have been wrong.<br><br>On the other hand it will not be the first time ICO guidance has been wrong.<br><br>I can readily accept the conclusion in the specific example. I can envisage setting up such a complaints service as data processing. [...]
2018-03-02T12:15:39+00:00Phil Bradshawhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;a7371a22.1803Re: DPA Section 1(4) / DP Bill Section 6 https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;4f17b28c.1803
Thanks Phil,<br><br>I think I agree with your interpretation, and that is how I have always read it, just for some reason the ambiguity stood out this morning....<br><br>I also think your view on the issue of &quot;the data controller&quot; has to be right, but I'm not sure the ICO agrees, given the example I've just found in their guidance note: [...]
2018-03-02T10:29:12+00:00Peter Dinsdalehttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;4f17b28c.1803Re: DPA Section 1(4) / DP Bill Section 6 https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;dcfa739b.1803
Peter<br><br>I have always struggled to understand quite why this section was necessary, given the definition of data controller, but my real problem is with it saying &quot;the data controller&quot; as opposed to &quot;a data controller&quot;.<br><br>Firstly I think it has to have the wider interpretation you suggest - that would come within &quot;required under&quot; as opposed to &quot;required by&quot;. [...]
2018-03-02T10:11:58+00:00Phil Bradshawhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;dcfa739b.1803DPA Section 1(4) / DP Bill Section 6 https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;2cb567d5.1803
Morning all,<br><br>I'm having a bit of a brainfreeze (hardly surprising given the weather out there), so hoping someone can clarify this for me - I may be overthinking it.<br><br>Section 1(4) of the DPA says:<br>Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller. [...]
2018-03-02T09:11:37+00:00Peter Dinsdalehttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;2cb567d5.1803Re: Vacancy - Information Governance Lead - Edinburgh https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;413dc757.1803
With correct link this time....<br><br>Hi there<br><br>Apologies for cross posting this vacancy<br><br>Information Governance Lead<br><br>Salary band £34,914 - £37,609<br><br>37 hours per week (full time, permanent, Edinburgh)<br><br>To apply click on the link below<br>http://www.chscotland.gov.uk/about-chs/vacancies/information-governance-lead/<br><br>Want to combine your experience of working in an Information Governance environment with making a positive and life changing difference to the lives of children and young people? We have an exciting opportunity for an enthusiastic and highly motivated individual to join and lead our Information Governance function. [...]
2018-03-01T17:03:10+00:00Sinead Lammiehttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;413dc757.1803Vacancy - Information Governance Lead - Edinburgh https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;c319da3c.1803
Hi there<br><br>Apologies for cross posting this vacancy<br><br>Information Governance Lead<br><br>Salary band £34,914 - £37,609<br><br>37 hours per week (full time, permanent, Edinburgh)<br><br>To apply click on the link below<br>http://www.chscotland.gov.uk/about-chs/vacancies/information-govnernance-lead/<br><br>Want to combine your experience of working in an Information Governance environment with making a positive and life changing difference to the lives of children and young people? We have an exciting opportunity for an enthusiastic and highly motivated individual to join and lead our Information Governance function. [...]
2018-03-01T14:41:11+00:00Sinead Lammiehttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;c319da3c.1803Re: Unravel This One https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;cfee3294.1803
A combination of 2 and 3 sounds like the pragmatic approach to this one!!<br><br>Regards,<br>Peter<br><br>Peter Dinsdale<br>Data Protection Consultant<br><br>Perfect Image /<br>T: 0191 238 0111<br>www.perfect-image.co.uk<br><br>Follow us on Twitter http://twitter.com/perfectimage<br><br>-----Original Message-----<br>From: This list is for those interested in Data Protection issues [mailto:data-protection@JISCMAIL.AC.UK] On Behalf Of Phil Bradshaw<br>Sent: 01 March 2018 10:14<br>To: data-protection@JISCMAIL.AC.UK<br>Subject: [data-protection] Unravel This One [...]
2018-03-01T11:59:56+00:00Peter Dinsdalehttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;cfee3294.1803Unravel This One https://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;13b3968a.1803
I am currently working as DPO for an NHS Foundation Trust.<br><br>This Trust is 'host' for a Local Clinical Research Network (LCRN). The LCRN is part of the National Institute for Health Research (NIHR). There is an extensive 'contract' (this is an NHS contract!) between the LCRN and the Trust as host. LCRN staff are employed by the Trust and are subject to all its policies and procedures including audit data protection and security and training (but with at least one apparent exception referred to below). [...]
2018-03-01T10:13:56+00:00Phil Bradshawhttps://www.jiscmail.ac.uk:443/cgi-bin/webadmin?A2=data-protection;13b3968a.1803